TL;DR: Last Pass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.
Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.
If someone breaches it, they get everything.
IMO they are great if you control them yourself and take reasonable precautions, which means not using any public website password managers.
You can self-host bitwarden, for example. Or use a 100% local one. If you do host something like bitwarden, it's now on you to make sure it's up to date and following best practices, which is pretty annoying.
That’s not quite true of stuff like lastpass or Bitwarden (self hosted or as a service).
What people get (and got, when they breached lastpass) is a bunch of encrypted data that still needs the master password to unlock once decrypted.
If it’s really worrisome, pair the master pass phrase with a hardware token and be done.
With Bitwarden, the recent major issue relates to the essential security of getting into the vault itself. Self-hosters like myself needed to pay attention to this and change their settings from the defaults, at the cost of performance, in order to mitigate fairly realistic attacks.